Cyware Weekly Threat Intelligence, June 08 - 12, 2020


The Good

Dealing with a significant cyber incident against a nation requires a whole-of-government approach along with an interface for bi-directional threat intelligence sharing. Taking critical measures in a similar vein, the U.S. Cyber Command and the National Guard have launched a new portal called ‘Cyber 9-Line’ to get a holistic view of threats occurring in the country and abroad. Furthermore, the CISA has proposed a strategy to disrupt malware attacks on ICS.

  • The Department of Homeland Security’s CISA has unveiled a strategy to help protect Industrial Control Systems (ICS) from being hacked. The strategy includes developing deep data capabilities to analyze and deliver information that can be used by the ICS community to disrupt the kill chain.
  • With an aim to gain a holistic view of cyber threats occurring in the nation, the U.S. Cyber Command along with the National Guard has created a new portal called Cyber 9-Line. The portal will enable Guard units from their respective states to quickly share cyber threat information with Cyber Command.
  • The National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) are working with leading industry vendors and subject matter experts to devise new cybersecurity standards for firms offering telemedicine services. This will help the telehealth and telemedicine providers to understand the security threats lurking in their platforms.

The Bad

The week witnessed several organizations falling victim to ransomware attacks that disrupted operations at their facilities. The victims include Fisher & Paykel Appliances, Honda Motor Co., and VT San Antonio Aerospace.

  • Fisher & Paykel Appliances was hit by Nefilim ransomware. The attack impacted the firm’s manufacturing and distribution operations, forcing it to shut down its facilities to deal with the ransomware.
  • The City of Florence paid a ransom of nearly $300,000 in bitcoin to restore its systems that were affected in a ransomware attack on June 5, 2020. Investigations reveal that it was the act of DoppelPaymer operators. In another incident, the City of Knoxville was forced to shut down its IT networks due to a ransomware attack.
  • Nintendo confirmed that nearly 300,000 user accounts were breached after an unauthorized login occurred on April 24, 2020. The personal data that was compromised in the incident included dates of birth and email addresses.
  • The Snake ransomware operators were responsible for attacks at Honda Motor Co. and Edesur S.A. As a result, operations at several Honda plant locations and at Edesur S.A. were halted.
  • Natura &Co’s subsidiary Avon suffered a cyberattack, impacting some of its operations. Reportedly, the attack occurred due to a security weakness in the company’s digital security system.
  • Australian beverage giant, Lion, was hit by a major cyberattack that knocked out its internal IT systems. This impacted the processing of customer orders.
  • Columbia College became the third college in the U.S. to be attacked by the Netwalker ransomware within a week. This affected the employees’ and students’ data.
  • The Duluth Public School disclosed a data breach that compromised student accounts. The school authorities disabled the accounts to prevent additional unauthorized logins.
  • Admission systems, business processing systems, and email servers were taken offline following a cyberattack at the Life Healthcare Group. The extent of the attack is yet to be ascertained.
  • Details of some 900,000 credit cards held by South Koreans were sold on underground forums this week. The leaked information included card numbers, expiration dates, and validity dates.
  • Credentials of over 100 senior executives working in nine German MNCs were stolen in a phishing attack campaign. These firms were associated with a German government-private sector task force created to procure PPE kits.
  • Maze ransomware returned in a new attack against VT San Antonio Aerospace. The threat actors used a compromised administrator account to steal 1.5 TB of unencrypted files. The attackers also exfiltrated data from New York-based Threadstone Advisors.
  • Personal information of several U.S. police officers was leaked on social media in a targeted attack. The leaked data included home addresses, email addresses, and phone numbers of the officers.
  • A1 Telekom took almost six months to recover from a security breach that occurred in November 2019. The attackers had compromised some databases and even ran database queries in order to study the company’s internal network.
  • A flaw in the Babylon Health app allowed users to gain access to other users’ video consultations with doctors. The telehealth start-up fixed the issue as soon as it became aware.
  • Greenworks’ website fell victim to a highly-sophisticated and self-destructing skimmer code attack. The malware grabbed payment card details of customers from the checkout page of the website.

New Threats

Talking about new threats, security researchers discovered two new vulnerabilities - CrossTalk and SGAxe - affecting Intel processors. The Armv8-A CPU architecture was also found to be vulnerable to a newly discovered Straight-Line Speculation (SLS) flaw.

  • US energy providers were targeted by a new malware, dubbed FlowCloud, that gave the TA410 threat actor group total control over compromised devices. The attacks took place between July and November 2019 and the malware was pushed using malicious macros.
  • The Earth Empusa threat actor group used the ActionSpy Android malware to target users in Tibet and Turkey. The attackers leveraged social engineering lures to trick their targets into visiting phishing pages designed to deliver the malware.
  • Threat actors leveraged a fake ‘Black Lives Matter’ voting campaign to spread the Trickbot trojan. It was delivered through phishing emails that pretended to be from ‘Country administration’.
  • Security experts discovered two new vulnerabilities - CrossTalk and SGAxe - affecting Intel processors. While the former affects some client and Intel Xeon E3 processors, the latter can be successfully used against devices using Intel’s 9th gen Coffee Lake Refresh processors.
  • Around 12 fake contact-tracing apps, distributed via third-party stores and websites, have been found affecting Android phone users across the world. These apps include malware like Anubis and SpyNote.
  • The week witnessed the discovery of two new ransomware - Thanos and Avaddon. While the Thanos ransomware uses the RIPlace technique to evade detection, Avaddon made its appearance in a massive spam campaign that targeted users worldwide.
  • KingMiner botnet also returned in an attack campaign that targeted vulnerable MSSQL databases. The purpose of the attack was to mine Monero using XMRig cryptominer.
  • Google researchers flagged bugs in a speculative-execution exploit defense present in the Linux kernel. This could make AMD-powered Linux computers vulnerable to side-channel attacks.
  • A new vulnerability, named Straight-Line Speculation (SLS), has been found impacting the Armv8-A CPU architecture. The flaw, tracked as CVE-2020-13844, can allow malicious actors to steal data from Armv8-A processors.
  • Valak malware’s stealing capability has been enhanced with a new plugin called ‘clientgrabber’. With this new addition, the malware could steal email credentials from the registry of a compromised machine.
  • Tor2Mine, a cryptocurrency mining group, added new tactics, techniques, and procedures to harvest credentials and steal more money. It is also using a new IP address and two new domains to carry out its operations.
  • Russia-linked Gamaredon hacker group included a new CodeBuilder module to target Microsoft Outlook email clients with malicious macro scripts.
  • After LockBit, the Maze operators added the Ragnar ransomware operators to their extortion cartel strategy.


Posted on: June 12, 2020
